Here you can see that it retrieves a lazy initialization request (ext4_li_request) based on the provided super block parameter. It then locks it using its mutex and removes it by calling the ext4_remove_li_request() routine.

Although this appears to be fine, there is a race window between the retrieval of the ‘elr’ and its removal, since the locking takes place only during the removal. During this small race window, ext4_lazyinit_thread(), located in the same source code file, could run and free the same request, as shown below.
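The fetch-then-lock ordering described above, modeled in userspace C as an added example (not kernel code and not from the original post). The names `slot`, `li_mtx`, `worker_pass` and the `frees` counter are assumptions for illustration; the worker's pass is called inline at the race window so the bad interleaving is reproduced deterministically, and reading the pointer under the lock is shown as one way to close the window.

```c
#include <pthread.h>
#include <stdio.h>

/* Userspace model, hypothetical names: `slot` stands in for the per-superblock
 * request pointer, `li_mtx` for the mutex taken around removal. */
struct request { int frees; };   /* counts frees instead of really freeing */
static pthread_mutex_t li_mtx = PTHREAD_MUTEX_INITIALIZER;
static struct request *slot;

/* Removal: caller holds li_mtx. frees > 1 models touching freed memory. */
static void remove_request(struct request *r)
{
    if (!r) return;
    r->frees++;
    slot = NULL;
}

/* Worker thread path: removes whatever is in the slot, under the lock. */
static void worker_pass(void)
{
    pthread_mutex_lock(&li_mtx);
    remove_request(slot);
    pthread_mutex_unlock(&li_mtx);
}

/* Racy order: the pointer is read before the lock is taken. */
static int unregister_racy(void)
{
    struct request obj = {0}, *r;
    slot = &obj;
    r = slot;                 /* unlocked read */
    worker_pass();            /* constructed interleaving: worker wins the race */
    pthread_mutex_lock(&li_mtx);
    remove_request(r);        /* stale pointer: second "free" of the same object */
    pthread_mutex_unlock(&li_mtx);
    return obj.frees;
}

/* Hardened order: the slot is read only while holding the lock. */
static int unregister_locked(void)
{
    struct request obj = {0};
    slot = &obj;
    worker_pass();            /* same interleaving as above */
    pthread_mutex_lock(&li_mtx);
    remove_request(slot);     /* slot is already NULL, nothing left to remove */
    pthread_mutex_unlock(&li_mtx);
    return obj.frees;
}

int main(void)
{
    printf("racy: %d frees, locked: %d frees\n", unregister_racy(), unregister_locked());
    return 0;
}
```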